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Alerting Abstract WO A2 

NOVELTY - The method involves receiving a second message in a receiver together with the 
instance of the service. The second message includes a key derivation value that is used with a 
long-term key to obtain the short-term key to decrypt the instance of the service. 
DESCRIPTION - A control word is combined into an encrypted coded message (ECM) (107) with 
other service-related information. The ECM (107) is authenticated by Control Word Encrypt & 
Message Authenticate function (204) which produces a message authentication code using a keyed- 
hash value derived from the message content combined with a secret which can be shared with the 
receiving set-top box (113). This secret is preferably part or all of a multisession key (MSS) (208). 
The message authentication code is appended to the rest of the ECM (107). The CAW (202) is 
always encrypted before being sent along with the other parts of the ECM to MX (200). This 
encryption is preferably a symmetric cipher such as the Triple-DES algorithm using two distinct 
56-bit keys (which taken together comprise MSS (208). 

USE - The invention concerns systems for protecting information and more particularly concerns 
systems for protecting information that is transmitted by a wired or wireless medium against 
unauthorized access. 

ADVANTAGE - The service distribution organizations require access restrictions which are both 
more secure and more flexible than those in conventional systems 

DESCRIPTION OF DRAWINGS - The drawing is a block diagram of sendee instance encryption 
techniques. 

107 encrypted coded message 

204 Control Word Encrypt & Message Authenticate function 
200 MX 
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A cable television system provides conditional access to services. The cable television system 
includes a headend from which service "instances", or programs, are broadcast and a plurality of set 
top units for receiving the instances and selectively decrypting the instances for display to system 
subscribers. The service instances are encrypted using public and/or private keys provided by 
service providers or central authorization agents. Keys used by the set tops for selective decryption 
may also be public or private in nature, and such keys may be reassigned at different times to 
provide a cable television system in which piracy concerns are minimized. 
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Claim: 

1. Verfahren der Entschlusselung einer Diensteeinheit (325), die mit einem gegebenen 

Kurzzeitschlussel (319) verschlusselt wurde, wobei das Verfahren in einem Empfanger (333) 
ausgefuhrt wird, der ein Offentlich/Privat-Schlusselpaar besitzt, und das Verfahren durch die 
folgenden Schritte gekennzeichnet ist: 

o im Empfanger eine erste Nachricht (3 1 5) zu empfangen, deren Inhalt einen ersten 
Langzeitschlussel (309) einschliesst und unter Verwendung des offentlichen Schlussels 
(312) fiir den Empfanger (333) verschlusselt wurde; 
o den privaten Schlussel (337) zur Entschlusselung des Inhalts zu verwenden; 
o den ersten Schlussel (309) zu speichern; 

o im Empfanger (333) zusammen mit der verschlusselten Diensteeinheit (329) eine 
zweite Nachricht (323) zu empfangen, wobei die zweite Nachricht (323) einen 
Indikator fur einen zweiten Kurzzeitschlussel (319) einschliesst; 

o den Indikator und den ersten Schlussel (309) zu benutzen, urn den zweiten Schlussel zu 
erhalten; worin der zweite Schlussel dem gegebenen Schlussel (3 19), mit dem der 
Dienst verschlusselt wurde, gleichwertig ist, und 

o den zweiten Schlussel zur Entschlusselung der empfangenen Diensteeinheit zu 
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verwenden. 



1 . A method of decrypting an instance of a service (325) that has been encrypted with a given 
short-term key (319), the method being carried out in a receiver (333) that has a public key- 
private key pair and the method being characterised by the following steps: 

o receiving a first message (3 1 5) in the receiver whose contents include a first long-teim 
key (309), the contents having been encrypted using the public key (312) for the 
receiver (333); 
o using the private key (337) to decrypt the contents; 
o storing the first key (309); 

o receiving a second message (323) in the receiver (333) together with the encrypted 
instance of the service (329), the second message (323) including an indicator for a 
second short-term key (3 1 9); 

o using the indicator an the first key (309) to obtain the second key; wherein the second 
key is equivalent to the given key (319) that encrypted the service, and 

o using the second key to decrypt the received instance of the service. 



1 . Precede de decryptage d f une instance d'un service (326) qui etait cryptee avec une cle a court 
terme donnee (319), le procede etant execute dans un recepteur (333) qui comporte une paire 
de cle publique-cle privee et le procede etant caracterise par les etapes suivantes: 

o recevoir un premier message (3 1 5) dans le recepteur dont le contenu comprend une 
premiere cle a long terme (309), le contenu ayant ete crypte en utilisant la cle publique 
(312) pour le recepteur (333), 
o utiliser la cle privee (337) pour decrypter le contenu, 
o memoriser la premiere cle (309), 

o recevoir un second message (323) dans le recepteur (333) en meme temps que 

Tinstance cryptee du service (329), le second message (323) comprenant un rndicateur 
pour une seconde cle a court terme (319), 
o utiliser Tindicateur et la premiere cle (309) pour obtenir la seconde cle, dans lequel 
o la seconde cle est equivalente a la cle donnee (319) qui a crypte le service, et 
o utiliser la seconde cle pour decrypter Tinstance recue du service. 
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top units for receiving the instances and selectively decrypting the instances for display to system 
subscribers. The service instances are encrypted using public and/or private keys provided by 
service providers or central authorization agents. Keys used by the set tops for selective decryption 
may also be public or private in nature, and such keys may be reassigned at different times to 
provide a cable television system in which piracy concerns are minimized. 

Un reseau de television par cable assure un acces conditionnel a des services. Le reseau de 
television par cable comprend une tete de reseau a partir de laquelle on diffuse les "instances" de 
service ou programmes. Ce reseau comprend aussi une pluralite d'unites decodeurs concues pour 
recevoir les instances et dechiffrer selectivement les instances qui vont s f afficher pour les abonnes 
du reseau. Les instances de service sont chiffrees par des cles publiques et/ou privees fournies par 
des fournisseurs de service ou des agents d'autorisation centraux.Les cles utilisees par les decodeurs 
permettant un dechiffrement selectif peuvent aussi etre publiques ou privees et de telles cles 
peuvent etre reaffectees a differents moments pour assurer un reseau de television par cable dans 
lequel les risques de piratage sont minimises. 
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